JS: Support transitive callback-passing

asgerf · asgerf · commit db1de18cc24f · 2021-09-08T13:08:16.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/FlowSteps.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/FlowSteps.qll
@@ -450,6 +450,18 @@ private module CachedSteps {
     )
   }
 
+  /** Gets a function that flows to `parameter` via one or more parameter-passing steps. */
+  cached
+  DataFlow::FunctionNode getACallbackSource(DataFlow::ParameterNode parameter) {
+    Stages::TypeTracking::ref() and
+    callStep(result.getALocalUse(), parameter)
+    or
+    exists(DataFlow::ParameterNode mid |
+      callStep(mid.getALocalUse(), parameter) and
+      result = getACallbackSource(mid)
+    )
+  }
+
   /**
    * Holds if `f` may return `base`, which has a write of property `prop` with right-hand side `rhs`.
    */
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/StepSummary.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/StepSummary.qll
@@ -158,10 +158,9 @@ private module Cached {
     )
     or
     // Add 'return' steps from callback arguments to callback parameters
-    exists(DataFlow::ParameterNode cbParam, DataFlow::FunctionNode cbFun, int i |
-      callStep(cbFun, cbParam) and
-      pred = cbParam.getAnInvocation().getArgument(i) and
-      succ = cbFun.getParameter(i) and
+    exists(DataFlow::ParameterNode parameter, int i |
+      pred = parameter.getAnInvocation().getArgument(i) and
+      succ = getACallbackSource(parameter).getParameter(i) and
       summary = ReturnStep()
     )
   }
diff --git a/javascript/ql/test/library-tests/TypeTracking/ClassStyle.expected b/javascript/ql/test/library-tests/TypeTracking/ClassStyle.expected
@@ -39,6 +39,8 @@ test_Connection
 | tst.js:114:1:114:28 | getX({  ... on() }) |
 | tst.js:114:11:114:25 | getConnection() |
 | tst.js:118:12:118:26 | getConnection() |
+| tst.js:120:21:120:24 | conn |
+| tst.js:126:22:126:25 | conn |
 | tst_conflict.js:6:38:6:77 | api.cha ... ction() |
 test_DataCallback
 | client.js:3:28:3:34 | x => {} |
diff --git a/javascript/ql/test/library-tests/TypeTracking/PredicateStyle.expected b/javascript/ql/test/library-tests/TypeTracking/PredicateStyle.expected
@@ -42,6 +42,7 @@ connection
 | type tracker without call steps | tst.js:114:11:114:25 | getConnection() |
 | type tracker without call steps | tst.js:118:12:118:26 | getConnection() |
 | type tracker without call steps | tst.js:120:21:120:24 | conn |
+| type tracker without call steps | tst.js:126:22:126:25 | conn |
 | type tracker without call steps | tst_conflict.js:6:38:6:77 | api.cha ... ction() |
 | type tracker without call steps with property MyApplication.namespace.connection | file://:0:0:0:0 | global access path |
 | type tracker without call steps with property conflict | tst.js:63:3:63:25 | MyAppli ... mespace |

Original file line number	Diff line number	Diff line change
`@@ -158,10 +158,9 @@ private module Cached {`
`158`	`158`	`)`
`159`	`159`	`or`
`160`	`160`	`// Add 'return' steps from callback arguments to callback parameters`
`161`		`- exists(DataFlow::ParameterNode cbParam, DataFlow::FunctionNode cbFun, int i \|`
`162`		`- callStep(cbFun, cbParam) and`
`163`		`- pred = cbParam.getAnInvocation().getArgument(i) and`
`164`		`- succ = cbFun.getParameter(i) and`
	`161`	`+ exists(DataFlow::ParameterNode parameter, int i \|`
	`162`	`+ pred = parameter.getAnInvocation().getArgument(i) and`
	`163`	`+ succ = getACallbackSource(parameter).getParameter(i) and`
`165`	`164`	`summary = ReturnStep()`
`166`	`165`	`)`
`167`	`166`	`}`